Secrets quality profile is not getting picked by sonarqube analysis

SonarQube version: sonarqube-10.4.1.88267 / Developer Edition

SonarQube analysis is not picking up the Secrets quality profile, though there are secrets in the scanned code.
The quality profile is assigned to all our projects but still shows its usage as "Never".

How do we make SonarQube use the Secrets profile?

1 Like

It’s the same on our own internal instance of SonarQube. I’ll flag this for attention.

Hey @RekhaY

This is indeed confusing. The profile is displayed as “used never,” while I believe that if you check your logs, you will find that TextAndSecretsSensor executed.

It’s a known limitation, as “Secrets” is not an actual language, and all files in the project are actually analyzed. As technically no file has the “Secrets” language, the corresponding profile is not marked as used.

Thanks for the feedback; we will see how we can improve this.

1 Like
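Added example (not from the thread or from SonarSource): the suggested way to confirm the Secrets profile really ran is to look for TextAndSecretsSensor in the scanner log rather than at the "Used" column. This script parses a constructed sample of scanner log lines; the exact wording and the `[text]` tag are assumptions about the log format.

```python
import re

# Constructed sample scanner output; real logs may word the lines differently.
SAMPLE_LOG = """\
INFO: Sensor JavaSensor [java]
INFO: Sensor JavaSensor [java] (done) | time=1532ms
INFO: Sensor TextAndSecretsSensor [text]
INFO: 12 source files to be analyzed
INFO: 12/12 source files have been analyzed
INFO: Sensor TextAndSecretsSensor [text] (done) | time=87ms
INFO: Sensor IaC Docker Sensor [iac]
INFO: Sensor IaC Docker Sensor [iac] (done) | time=5ms
"""

# Assumed line shapes: a start line, an optional file-count line while the
# sensor is active, and a "(done)" line carrying the elapsed time.
SENSOR_START = re.compile(r"Sensor TextAndSecretsSensor \[\w+\]\s*$")
SENSOR_DONE = re.compile(r"Sensor TextAndSecretsSensor \[\w+\] \(done\) \| time=(\d+)ms")
FILES_ANALYZED = re.compile(r"(\d+)/(\d+) source files have been analyzed")


def check_secrets_sensor(log_text):
    """Summarise whether the secrets sensor started, finished, and how many
    files it looked at. 'ran' is True only when both start and done appear."""
    started = done = False
    time_ms = analyzed = total = None
    inside = False  # True between the sensor's start and done lines
    for line in log_text.splitlines():
        if SENSOR_START.search(line):
            started, inside = True, True
            continue
        m = SENSOR_DONE.search(line)
        if m:
            done, inside, time_ms = True, False, int(m.group(1))
            continue
        if inside:
            m = FILES_ANALYZED.search(line)
            if m:
                analyzed, total = int(m.group(1)), int(m.group(2))
    return {"ran": started and done, "time_ms": time_ms,
            "files_analyzed": analyzed, "files_total": total}


if __name__ == "__main__":
    print(check_secrets_sensor(SAMPLE_LOG))
```

If the sensor is missing from the log entirely, the profile was not applied; if it appears but reports zero files, the scanned paths are worth checking.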

Hi, I was wondering if a solution was found regarding this issue?
The same problem occurs on the Enterprise Edition v10.5.1 of the product.

In the meantime, is there a way to add this profile automatically to all projects, in addition to any profile discovered by the tool (a bulk "add profile" function, maybe)?

Thanks

Hey @zsherminator

To be clear, the QP is being applied, it’s just not showing up on the project information page.

Hello Colin, thank you for your swift reply!
After running some scans with data that must have been reported by the tool, I am certain that the Secrets QP isn’t taken into consideration during a code analysis by default.

Unless I manually add that QP in the project settings, no vulnerabilities regarding the use of confidential information (such as credentials, tokens or AWS keys for example) are reported.

Furthermore, even when I added that QP to the project, ran a scan, and got a report informing me about the usage of confidential information, the message “Never” still appears under the “Used” property.

Hey @zsherminator!

I can’t reproduce that. Here I have an issue raised by that QP.

Meanwhile, I have nothing specific configured for my project’s Quality Profiles.

Have you done any manual configuration of the default Secrets Quality Profile in SonarQube, or is the default the built-in Sonar Way?

It’s the default built-in Sonar Way.